CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Transcription

1 CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK) is a protocol between a prover P and verifier V with the property that there exists a knowledge extractor K which can extract a witness from P in the case that V accepts. In this definition, we assume the prover is all-powerful, i.e., has no bound on its running time. We can weaken this notion by considering an argument-of-knowledge (AoK), which is defined equivalently to a PoK except the prover runs in polynomial time. We will demonstrate a constant-round ZKAoK (due to Feige and Shamir [FS89]) later in this lecture. 1 Using our constant-round ZKAoK protocol, we can achieve a constant-round coin-tossing protocol (due to Lindell [Lin03]). Finally, we can combine these results to achieve two-party computation with malicious security from any semi-honest protocol, and thus we get constant-round maliciously-secure two-party computation. 2 Witness Indistinguishability Before proceeding to our constant-round ZKAoK protocol, we need to discuss the notion of witness indistinguishability (WI). A protocol is witness-indistinguishable if a malicious verifier cannot distinguish which witness a prover is using. More formally: Definition 1 A protocol execution P, V is witness-indistinguishable if for all x, w 1, w 2 such that (x, w 1 ), (x, w 2 ) R L and for all polynomial time (malicious) verifiers V, } View V } P (x,w 1 ),V (x) (1k ) View V P (x,w 2 ),V (x) (1k ). Clearly ZK implies WI: } A ZK proof implies that there exists a simulator S such that View V P (x,w 1 ),V (x) (1k ) S(x)} and View V P (x,w 2 ),V (x) )} (1k S(x)}. We can also show that WI is preserved under parallel composition (by a standard hybrid argument). This implies the following corollary: Corollary 1 k-fold parallel repetition of the ZK proof for graph Hamiltonicity from Lecture 16 is a WIPoK with soundness error 2 k. 1 Besides having constant round ZKAoKs, we also have constant round ZKPoKs (due to Goldreich and Kahan [GK96]). However, we do not discuss this result further. 19-1

2 3 Constant-round ZKAoK We now show the Feige-Shamir protocol for constant-round ZKAoKs [FS89]. Let f be a one-way function. Feige-Shamir Protocol for Constant-round ZKAoKs P (x, w) V (x) y 1, y 2 r 1, r 2 0, 1} n WIPoK(f 1 (y 1 ) or f 1 (y 2 )) WIPoK(f 1 (y 1 ) or f 1 (y 2 ) or x L) y i = f(r i ) Theorem 2 The above protocol is a ZKAoK. Proof We prove this in two steps. We first show that the protocol is a ZK proof, and then we show that it is an AoK. Claim 3 The above protocol is a ZK proof. Let V be a cheating verifier. We construct a simulator S as follows: 1. Receive y 1, y 2 from V. Simulator S for V 2. Verify the PoK from V. If the proof fails, then abort. Otherwise, extract r such that f(r) y 1, y 2 }. 3. Run the final proof as an honest prover would, using witness r. It is easy to see that this simulator is computationally indistinguishable from the real execution by the WI property. Claim 4 The above protocol is an argument-of-knowledge. Let P be a (polynomial-time) cheating prover, and let K be the knowledge extractor that exists for the WIPoK of the statement f 1 (y i ) or f 1 (y 2 ) or x L. We construct a knowledge extractor K as follows: Knowledge Extractor K 1. Choose r 1, r 2 0, 1} k and compute y i = f(r i ) for i 1, 2}. 2. Run the (first) WIPoK using witness r If P succeeds in its WIPoK, then run K to extract either an r such that f(r) y 1, y 2 } or a witness w such that (x, w) R L. 19-2

3 If we can show that K does not extract an r such that f(r) y 1, y 2 } except with negligible probability, then this implies that K successfully extracts a witness w such that (x, w) R L except with negligible probability. Indeed, say K extracts r with f(r) y 1, y 2 } with probability p. Let p 1 be the probability that f(r) = y 1 and let p 2 be the probability that f(r) = y 2. Suppose p 1 is non-negligible. We can turn this into an attack on f as follows: Construct an attacker which, given y 1, chooses r 2 0, 1} k and sets y 2 = f(r 2 ), runs Step 2 of K with r 2 as the witness, and then runs Step 3 of K to extract f 1 (y 1 ). This attack succeeds with probability p 1 and thus p 1 must be negligible. Now, suppose p 2 is non-negligible. Let K be the same as K, except it uses witness r 1 in Step 2 instead of r 2, and let p 2 be the probability that K extracts r with f(r) = y 2 when used by K. By the WI property, it must be the case that p 2 p 2 is negligible. Now, a similar attack to the one described in the previous paragraph shows that p 2 must be negligible. Thus, K extracts r with f(r) y 1, y 2 } with negligible probability, completing the proof. 4 Constant-round Coin Tossing We can define the (two-party) coin-tossing functionality, F ct, as follows: Functionality F ct 0, 1} k Output: The functionality computes r 0, 1} k and outputs r to both parties. Now, consider the following protocol for realizing F ct : Coin-tossing Candidate Protocol #1 P 1 P 2 r 1 0, 1} k com(r 1 ) r 2 r2 0, 1} k r Output r 1 r 1, decom(com(r 1 )) 2 Output r 1 r 2 The problem is that this protocol, while it intuitively looks secure, is not simulatable when k is the security parameter (the protocol is in fact secure if k is some small fixed constant, such as 1). Consider the case of a malicious P 2 who sets r 2 to be some function of the commitment sent by P 1. The simulator is thus unable to fix r 1 such that r 1 r 2 = r for some uniformly chosen r, since r 2 depends on r 1. Thus, we modify this protocol by adding ZKAoKs such that P 1 proves knowledge of the committed value, allowing this value to be extracted by the simulator: 19-3

4 Coin-tossing Protocol P 1 P 2 r 1 0, 1} k com(r 1 ) ZKAoK that r 1 is the committed value r 2 r2 0, 1} k r 1 ZK argument that initial commitment was to r 1 Output r 1 r 2 Output r 1 r 2 We now prove that this protocol, due to Lindell [Lin03], securely realizes the F ct functionality. Proof Let P2 be a malicious party playing the part of P 2 in the coin-tossing protocol. We construct a simulator S for P2 as follows. Simulator S for P2 1. Query F ct, receiving back r. 2. Compute com(0) and send it to P2. 3. Simulate the ZKAoK about the validity of the previously sent commitment. 4. Receive r 2 from P2. 5. Send r 1 = r 2 r to P2. 6. Simulate the ZK argument that the initial commitment was to r 1. The proof is straightforward but involved; see [Lin03] for the details. We now show a simulator S for a malicious P 1. Simulator S for P1 1. Query F ct, receiving back r. 2. Receive a commitment from P1. 3. Verify the ZKAoK from P1 and extract r Send r 2 = r 1 r to P1. 5. Receive r 1 from P1. 6. Verify P1 s ZK argument, and thus r 1 = r 1 with high probability. Again, the proof is straightforward but involved; see [Lin03]. 19-4

5 References [FS89] Uriel Feige and Adi Shamir. Zero knowledge proofs of knowledge in two rounds. In Gilles Brassard, editor, Advances in Cryptology CRYPTO 89, volume 435 of Lecture Notes in Computer Science, pages , Santa Barbara, CA, USA, August 20 24, Springer, Berlin, Germany. [GK96] Oded Goldreich and Ariel Kahan. How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology, 9(3): , [Lin03] Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3): , June